I'm also curious about this. Not necessarily because I feel Sync is insecure, but for the peace of mind. I think I'll continue to keep my passwords offline and just sync my bookmarks for the time being.

The only reason I would guess they haven't implemented 2 factor authentication is that they don't feel they can do it correctly yet, or there isn't a large enough demand for it. I think they would also need to make some sort of Firefox Authenticator app since SMS isn't really secure.

However, since the Sync password isn't stored online anywhere and all of your data is encrypted before it's sent to their servers, the only way anyone should be able to get to your data is by lifting or brute forcing your password. For the time being, using a very long and complex password should suffice, so long as you can keep it a secret.

I tried to find a place to submit feature requests or view planned changes. I found their bug tracking site which has a Sync section here, and their "roadmap" here. I was hoping for something more like a github repo.

After digging a little more I found the Sync server on github which can be self hosted and should be modifiable to add 2fa as well as a sync-dev mailing list. I also found a blog post of theirs where the DB leaks you mentioned did lead to Sync accounts being compromised due to password reuse, which hadn't occurred to me. I'm still not positive where the best place to make a feature request would be. Maybe Firefox could be the first major player to implement SQRL when it's finally released.

Sync doesn't really need 2fa as it only sends already encrypted data to the Sync server, along the encrypted HTTPS connection. NO ONE without access to the dual "keys" that were created from your Firefox Account Password can decrypt your data - even you. And if you should change your Firefox Account Password your data is deleted from the Syncs server as a different Password would create different "keys" which couldn't decrypt your data.

You can view the kA & kB "keys" in the Logins Manager next to chrome://FirefoxAccounts (Firefox Accounts Credentials) if you hover over the Passwords column - dual 60 character alpha/numeric strings.

Plus your Firefox Account Password isn't sent to the Sync server with your other Passwords; which can't be read by anyone connected with Mozilla anyways - without those dual "keys" which remain on your devices and only work theu a Firefox installation that created those "keys" and those devices that you connected to the Sync account.

That said, I have heard mention of a 2fa configuration coming to Firefox; but no eta and no mention of what it might entail. with regards to SYnc services